The detection rule identifies potential adversary use of advapi32 API functions (specifically the CryptoAPI calls CryptAcquireContext, CryptCreateHash and CryptHashData), which may indicate privilege escalation or system manipulation. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy lateral movement or persistence tactics that evade standard detection mechanisms.
YARA Rule
rule Advapi_Hash_API {
    meta:
        author = "_pusher_"
        description = "Looks for advapi API functions"
        date = "2016-07"
    strings:
        $advapi32 = "advapi32.dll" wide ascii nocase
        $CryptCreateHash = "CryptCreateHash" wide ascii
        $CryptHashData = "CryptHashData" wide ascii
        $CryptAcquireContext = "CryptAcquireContext" wide ascii
    condition:
        $advapi32 and ($CryptCreateHash and $CryptHashData and $CryptAcquireContext)
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
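The following Python is an added illustration, not part of the original rule or of this page: it emulates the matching semantics of the four strings (`ascii`, `wide` as UTF-16LE, `nocase` on the DLL name) and the rule's condition over constructed byte buffers that stand in for a binary's import table. yara-python is deliberately not used so the script runs offline; the sample buffers are constructed for the example and are not real files.

```python
"""Emulate the Advapi_Hash_API YARA rule in pure Python (added example)."""
import re

# The rule's four string patterns: identifier -> (text, nocase).
# YARA's `ascii` modifier matches the plain encoding, `wide` the UTF-16LE
# encoding; `nocase` applies to whichever encoding is present.
RULE_STRINGS = {
    "$advapi32": ("advapi32.dll", True),          # wide ascii nocase
    "$CryptCreateHash": ("CryptCreateHash", False),
    "$CryptHashData": ("CryptHashData", False),
    "$CryptAcquireContext": ("CryptAcquireContext", False),
}


def _pattern(text: str, nocase: bool) -> re.Pattern:
    """Build one regex that matches either the ASCII or the UTF-16LE form."""
    ascii_form = re.escape(text.encode("ascii"))
    wide_form = re.escape(text.encode("utf-16-le"))
    flags = re.IGNORECASE if nocase else 0
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", flags)


def match_strings(data: bytes) -> dict:
    """Return, per string identifier, the offsets at which it occurs in data."""
    return {
        ident: [m.start() for m in _pattern(text, nocase).finditer(data)]
        for ident, (text, nocase) in RULE_STRINGS.items()
    }


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition: $advapi32 and all three Crypt* strings.

    The parentheses in the original condition are redundant; it is a plain
    conjunction, so the rule fires as soon as all four strings are present.
    """
    hits = match_strings(data)
    return all(hits[ident] for ident in RULE_STRINGS)


# Constructed stand-in for the import table of a tool that hashes data with
# CryptoAPI. The real export is CryptAcquireContextW; the rule's substring
# still hits, and the DLL name's case is irrelevant because of `nocase`.
SAMPLE_HASHING_TOOL = (
    b"\x00" * 16 + b"ADVAPI32.dll\x00" + b"CryptAcquireContextW\x00"
    + b"CryptCreateHash\x00" + b"CryptHashData\x00" + b"CryptDestroyHash\x00"
)

# Constructed stand-in for a binary that imports from advapi32 only to inspect
# its token; it lacks the hashing functions, so the rule must not fire.
SAMPLE_TOKEN_CHECK = (
    b"advapi32.dll\x00" + b"OpenProcessToken\x00" + b"GetTokenInformation\x00"
)

# Constructed: the same names stored as UTF-16LE, as a managed or scripted
# loader might keep them; the `wide` modifier makes these match too.
SAMPLE_WIDE = (
    "advapi32.dll CryptAcquireContext CryptCreateHash CryptHashData"
).encode("utf-16-le")


if __name__ == "__main__":
    for label, blob in [("hashing tool", SAMPLE_HASHING_TOOL),
                        ("token check", SAMPLE_TOKEN_CHECK),
                        ("wide strings", SAMPLE_WIDE)]:
        print(f"{label:13s} -> {'MATCH' if rule_matches(blob) else 'no match'}")
```

Because the condition is only a conjunction of import names, any legitimate program that hashes with CryptoAPI produces the same match as a malicious one, which is why the exclusion scenarios below are needed before a hit becomes an alert.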
Scenario: System Event Log Management
Description: A system administrator is using the EventCreate function from the advapi32.dll to log events to the Windows Event Log.
Filter/Exclusion: Check for EventCreate called with event IDs associated with standard system events (e.g., Event ID 6008 for system shutdown). Filter by process name like eventvwr.exe or wevtutil.exe.
Scenario: Scheduled Task Execution
Description: A legitimate scheduled task is using the CreateProcessAsUser function to run a script or application under a specific user context.
Filter/Exclusion: Filter by process name such as schtasks.exe or taskhost.exe. Check for known scheduled task names or paths in the Task Scheduler database.
Scenario: Windows Service Installation
Description: An IT administrator is installing a Windows service using the sc.exe utility, which internally uses advapi32 functions.
Filter/Exclusion: Filter by process name sc.exe or svchost.exe. Check for known service installation commands like sc create or sc config.
Scenario: Group Policy Processing
Description: The Group Policy Client service (gpsvc.exe) is using advapi32 functions to process group policy settings.
Filter/Exclusion: Filter by process name gpsvc.exe or gpolc.exe. Check for known group policy-related activities or event logs related to policy refresh.
Scenario: Security Software Configuration
Description: A security tool (e.g., Microsoft Defender or CrowdStrike) is using advapi32 functions to configure or update its settings.
Filter/Exclusion: Filter by process names such as `MsMpEng
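As an added example (not from the original page), the triage filter below applies the exclusion scenarios listed above to constructed match records: a hit is suppressed only when the process name is one the scenario names and, for sc.exe, the command line carries one of the listed verbs (create or config). The extra requirement that the image reside under System32, the MatchEvent record shape and all sample records are assumptions of this example; the truncated Security Software scenario is not modelled.

```python
"""Triage filter for Advapi_Hash_API hits using the page's exclusion scenarios
(added example; records and the System32 path check are constructed here)."""
from dataclasses import dataclass
import ntpath

@dataclass
class MatchEvent:
    image_path: str    # full path of the process image that matched the rule
    command_line: str  # command line recorded by the sensor (assumed field)

# (scenario, process name, command-line verbs that must also appear; () = none)
EXCLUSIONS = [
    ("System Event Log Management", "eventvwr.exe", ()),
    ("System Event Log Management", "wevtutil.exe", ()),
    ("Scheduled Task Execution", "schtasks.exe", ()),
    ("Scheduled Task Execution", "taskhost.exe", ()),
    ("Windows Service Installation", "sc.exe", ("create", "config")),
    ("Windows Service Installation", "svchost.exe", ()),
    ("Group Policy Processing", "gpsvc.exe", ()),
    ("Group Policy Processing", "gpolc.exe", ()),
]

# Assumption of this example: a name-only allowlist is trivially satisfied by
# a renamed file, so the image must also live in the system directory.
SYSTEM32 = r"c:\windows\system32"


def triage(event: MatchEvent) -> tuple:
    """Return ("suppress", scenario) or ("escalate", reason)."""
    name = ntpath.basename(event.image_path).lower()
    directory = ntpath.dirname(event.image_path).lower()
    for scenario, proc, verbs in EXCLUSIONS:
        if name != proc:
            continue
        if directory != SYSTEM32:
            return ("escalate", f"{name} outside System32: {event.image_path}")
        if verbs:
            # Simple split is enough for the constructed samples, whose image
            # paths contain no spaces; the first argument is the sc verb.
            tokens = event.command_line.split()
            first_arg = tokens[1].lower() if len(tokens) > 1 else ""
            if first_arg not in verbs:
                return ("escalate",
                        f"{name} without an installation verb: {event.command_line}")
        return ("suppress", scenario)
    return ("escalate", f"no exclusion scenario covers {name}")


# Constructed sample records.
SAMPLES = [
    MatchEvent(r"C:\Windows\System32\sc.exe",
               r'"C:\Windows\System32\sc.exe" create DemoSvc binPath= C:\demo\svc.exe'),
    MatchEvent(r"C:\Users\Public\sc.exe", "sc.exe create DemoSvc binPath= x.exe"),
    MatchEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil qe System /c:5"),
    MatchEvent(r"C:\Users\Public\update.exe", "update.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        decision, detail = triage(ev)
        print(f"{decision:8s} {detail}")
```

The filter returns a reason with every decision so that suppressed hits remain auditable; tightening it (signer, hash, parent process) is a matter of adding fields to MatchEvent and conditions in triage.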